From commits-return-12857-archive-asf-public=cust-asf.ponee.io@sentry.apache.org Wed Sep 26 20:58:37 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 7D861180675 for ; Wed, 26 Sep 2018 20:58:36 +0200 (CEST) Received: (qmail 3231 invoked by uid 500); 26 Sep 2018 18:58:35 -0000 Mailing-List: contact commits-help@sentry.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@sentry.apache.org Delivered-To: mailing list commits@sentry.apache.org Received: (qmail 3222 invoked by uid 99); 26 Sep 2018 18:58:35 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Sep 2018 18:58:35 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id BB427E0058; Wed, 26 Sep 2018 18:58:34 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: hahao@apache.org To: commits@sentry.apache.org Date: Wed, 26 Sep 2018 18:58:35 -0000 Message-Id: In-Reply-To: <44f00d8140ca4a6ca11d314e62e1b840@git.apache.org> References: <44f00d8140ca4a6ca11d314e62e1b840@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/2] sentry git commit: SENTRY-2371: Add a new thrift API for getting all privileges a user has (Hao Hao, reviewed by Na Li, Sergio Pena) SENTRY-2371: Add a new thrift API for getting all privileges a user has (Hao Hao, reviewed by Na Li, Sergio Pena) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e90ab35d Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e90ab35d Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e90ab35d Branch: refs/heads/master Commit: e90ab35db32e34eb359f39cd94a9ca48b8c7aeda Parents: c7c5df2 Author: Hao Hao Authored: Tue Sep 25 14:10:41 2018 -0700 Committer: Hao Hao Committed: Wed Sep 26 11:54:08 2018 -0700 ---------------------------------------------------------------------- .../api/service/thrift/SentryPolicyService.java | 858 +++++++++++++++++++ .../main/resources/sentry_policy_service.thrift | 10 +- .../api/service/thrift/SentryMetrics.java | 2 + .../thrift/SentryPolicyStoreProcessor.java | 73 +- .../db/service/persistent/SentryStore.java | 35 +- .../persistent/SentryStoreInterface.java | 32 +- .../db/service/persistent/TestSentryStore.java | 43 + 7 files changed, 1032 insertions(+), 21 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java index 0cbd8ab..7025653 100644 --- a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java +++ b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java @@ -63,6 +63,8 @@ public class SentryPolicyService { public TListSentryPrivilegesResponse list_sentry_privileges_by_user(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException; + public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException; + public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request) throws org.apache.thrift.TException; public TDropPrivilegesResponse drop_sentry_privilege(TDropPrivilegesRequest request) throws org.apache.thrift.TException; @@ -113,6 +115,8 @@ public class SentryPolicyService { public void list_sentry_privileges_by_user(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException; + public void list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException; + public void list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException; public void drop_sentry_privilege(TDropPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException; @@ -433,6 +437,29 @@ public class SentryPolicyService { throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "list_sentry_privileges_by_user failed: unknown result"); } + public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException + { + send_list_sentry_privileges_by_user_and_itsgroups(request); + return recv_list_sentry_privileges_by_user_and_itsgroups(); + } + + public void send_list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException + { + list_sentry_privileges_by_user_and_itsgroups_args args = new list_sentry_privileges_by_user_and_itsgroups_args(); + args.setRequest(request); + sendBase("list_sentry_privileges_by_user_and_itsgroups", args); + } + + public TListSentryPrivilegesResponse recv_list_sentry_privileges_by_user_and_itsgroups() throws org.apache.thrift.TException + { + list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result(); + receiveBase(result, "list_sentry_privileges_by_user_and_itsgroups"); + if (result.isSetSuccess()) { + return result.success; + } + throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "list_sentry_privileges_by_user_and_itsgroups failed: unknown result"); + } + public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request) throws org.apache.thrift.TException { send_list_sentry_privileges_for_provider(request); @@ -1088,6 +1115,38 @@ public class SentryPolicyService { } } + public void list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException { + checkReady(); + list_sentry_privileges_by_user_and_itsgroups_call method_call = new list_sentry_privileges_by_user_and_itsgroups_call(request, resultHandler, this, ___protocolFactory, ___transport); + this.___currentMethod = method_call; + ___manager.call(method_call); + } + + public static class list_sentry_privileges_by_user_and_itsgroups_call extends org.apache.thrift.async.TAsyncMethodCall { + private TListSentryPrivilegesRequest request; + public list_sentry_privileges_by_user_and_itsgroups_call(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler, org.apache.thrift.async.TAsyncClient client, org.apache.thrift.protocol.TProtocolFactory protocolFactory, org.apache.thrift.transport.TNonblockingTransport transport) throws org.apache.thrift.TException { + super(client, protocolFactory, transport, resultHandler, false); + this.request = request; + } + + public void write_args(org.apache.thrift.protocol.TProtocol prot) throws org.apache.thrift.TException { + prot.writeMessageBegin(new org.apache.thrift.protocol.TMessage("list_sentry_privileges_by_user_and_itsgroups", org.apache.thrift.protocol.TMessageType.CALL, 0)); + list_sentry_privileges_by_user_and_itsgroups_args args = new list_sentry_privileges_by_user_and_itsgroups_args(); + args.setRequest(request); + args.write(prot); + prot.writeMessageEnd(); + } + + public TListSentryPrivilegesResponse getResult() throws org.apache.thrift.TException { + if (getState() != org.apache.thrift.async.TAsyncMethodCall.State.RESPONSE_READ) { + throw new IllegalStateException("Method call not finished!"); + } + org.apache.thrift.transport.TMemoryInputTransport memoryTransport = new org.apache.thrift.transport.TMemoryInputTransport(getFrameBuffer().array()); + org.apache.thrift.protocol.TProtocol prot = client.getProtocolFactory().getProtocol(memoryTransport); + return (new Client(prot)).recv_list_sentry_privileges_by_user_and_itsgroups(); + } + } + public void list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException { checkReady(); list_sentry_privileges_for_provider_call method_call = new list_sentry_privileges_for_provider_call(request, resultHandler, this, ___protocolFactory, ___transport); @@ -1465,6 +1524,7 @@ public class SentryPolicyService { processMap.put("list_sentry_roles_by_user", new list_sentry_roles_by_user()); processMap.put("list_sentry_privileges_by_role", new list_sentry_privileges_by_role()); processMap.put("list_sentry_privileges_by_user", new list_sentry_privileges_by_user()); + processMap.put("list_sentry_privileges_by_user_and_itsgroups", new list_sentry_privileges_by_user_and_itsgroups()); processMap.put("list_sentry_privileges_for_provider", new list_sentry_privileges_for_provider()); processMap.put("drop_sentry_privilege", new drop_sentry_privilege()); processMap.put("rename_sentry_privilege", new rename_sentry_privilege()); @@ -1719,6 +1779,26 @@ public class SentryPolicyService { } } + public static class list_sentry_privileges_by_user_and_itsgroups extends org.apache.thrift.ProcessFunction { + public list_sentry_privileges_by_user_and_itsgroups() { + super("list_sentry_privileges_by_user_and_itsgroups"); + } + + public list_sentry_privileges_by_user_and_itsgroups_args getEmptyArgsInstance() { + return new list_sentry_privileges_by_user_and_itsgroups_args(); + } + + protected boolean isOneway() { + return false; + } + + public list_sentry_privileges_by_user_and_itsgroups_result getResult(I iface, list_sentry_privileges_by_user_and_itsgroups_args args) throws org.apache.thrift.TException { + list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result(); + result.success = iface.list_sentry_privileges_by_user_and_itsgroups(args.request); + return result; + } + } + public static class list_sentry_privileges_for_provider extends org.apache.thrift.ProcessFunction { public list_sentry_privileges_for_provider() { super("list_sentry_privileges_for_provider"); @@ -1964,6 +2044,7 @@ public class SentryPolicyService { processMap.put("list_sentry_roles_by_user", new list_sentry_roles_by_user()); processMap.put("list_sentry_privileges_by_role", new list_sentry_privileges_by_role()); processMap.put("list_sentry_privileges_by_user", new list_sentry_privileges_by_user()); + processMap.put("list_sentry_privileges_by_user_and_itsgroups", new list_sentry_privileges_by_user_and_itsgroups()); processMap.put("list_sentry_privileges_for_provider", new list_sentry_privileges_for_provider()); processMap.put("drop_sentry_privilege", new drop_sentry_privilege()); processMap.put("rename_sentry_privilege", new rename_sentry_privilege()); @@ -2590,6 +2671,57 @@ public class SentryPolicyService { } } + public static class list_sentry_privileges_by_user_and_itsgroups extends org.apache.thrift.AsyncProcessFunction { + public list_sentry_privileges_by_user_and_itsgroups() { + super("list_sentry_privileges_by_user_and_itsgroups"); + } + + public list_sentry_privileges_by_user_and_itsgroups_args getEmptyArgsInstance() { + return new list_sentry_privileges_by_user_and_itsgroups_args(); + } + + public AsyncMethodCallback getResultHandler(final AsyncFrameBuffer fb, final int seqid) { + final org.apache.thrift.AsyncProcessFunction fcall = this; + return new AsyncMethodCallback() { + public void onComplete(TListSentryPrivilegesResponse o) { + list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result(); + result.success = o; + try { + fcall.sendResponse(fb,result, org.apache.thrift.protocol.TMessageType.REPLY,seqid); + return; + } catch (Exception e) { + LOGGER.error("Exception writing to internal frame buffer", e); + } + fb.close(); + } + public void onError(Exception e) { + byte msgType = org.apache.thrift.protocol.TMessageType.REPLY; + org.apache.thrift.TBase msg; + list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result(); + { + msgType = org.apache.thrift.protocol.TMessageType.EXCEPTION; + msg = (org.apache.thrift.TBase)new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.INTERNAL_ERROR, e.getMessage()); + } + try { + fcall.sendResponse(fb,msg,msgType,seqid); + return; + } catch (Exception ex) { + LOGGER.error("Exception writing to internal frame buffer", ex); + } + fb.close(); + } + }; + } + + protected boolean isOneway() { + return false; + } + + public void start(I iface, list_sentry_privileges_by_user_and_itsgroups_args args, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws TException { + iface.list_sentry_privileges_by_user_and_itsgroups(args.request,resultHandler); + } + } + public static class list_sentry_privileges_for_provider extends org.apache.thrift.AsyncProcessFunction { public list_sentry_privileges_for_provider() { super("list_sentry_privileges_for_provider"); @@ -11865,6 +11997,732 @@ public class SentryPolicyService { } + public static class list_sentry_privileges_by_user_and_itsgroups_args implements org.apache.thrift.TBase, java.io.Serializable, Cloneable, Comparable { + private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_by_user_and_itsgroups_args"); + + private static final org.apache.thrift.protocol.TField REQUEST_FIELD_DESC = new org.apache.thrift.protocol.TField("request", org.apache.thrift.protocol.TType.STRUCT, (short)1); + + private static final Map, SchemeFactory> schemes = new HashMap, SchemeFactory>(); + static { + schemes.put(StandardScheme.class, new list_sentry_privileges_by_user_and_itsgroups_argsStandardSchemeFactory()); + schemes.put(TupleScheme.class, new list_sentry_privileges_by_user_and_itsgroups_argsTupleSchemeFactory()); + } + + private TListSentryPrivilegesRequest request; // required + + /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ + public enum _Fields implements org.apache.thrift.TFieldIdEnum { + REQUEST((short)1, "request"); + + private static final Map byName = new HashMap(); + + static { + for (_Fields field : EnumSet.allOf(_Fields.class)) { + byName.put(field.getFieldName(), field); + } + } + + /** + * Find the _Fields constant that matches fieldId, or null if its not found. + */ + public static _Fields findByThriftId(int fieldId) { + switch(fieldId) { + case 1: // REQUEST + return REQUEST; + default: + return null; + } + } + + /** + * Find the _Fields constant that matches fieldId, throwing an exception + * if it is not found. + */ + public static _Fields findByThriftIdOrThrow(int fieldId) { + _Fields fields = findByThriftId(fieldId); + if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!"); + return fields; + } + + /** + * Find the _Fields constant that matches name, or null if its not found. + */ + public static _Fields findByName(String name) { + return byName.get(name); + } + + private final short _thriftId; + private final String _fieldName; + + _Fields(short thriftId, String fieldName) { + _thriftId = thriftId; + _fieldName = fieldName; + } + + public short getThriftFieldId() { + return _thriftId; + } + + public String getFieldName() { + return _fieldName; + } + } + + // isset id assignments + public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; + static { + Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); + tmpMap.put(_Fields.REQUEST, new org.apache.thrift.meta_data.FieldMetaData("request", org.apache.thrift.TFieldRequirementType.DEFAULT, + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TListSentryPrivilegesRequest.class))); + metaDataMap = Collections.unmodifiableMap(tmpMap); + org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(list_sentry_privileges_by_user_and_itsgroups_args.class, metaDataMap); + } + + public list_sentry_privileges_by_user_and_itsgroups_args() { + } + + public list_sentry_privileges_by_user_and_itsgroups_args( + TListSentryPrivilegesRequest request) + { + this(); + this.request = request; + } + + /** + * Performs a deep copy on other. + */ + public list_sentry_privileges_by_user_and_itsgroups_args(list_sentry_privileges_by_user_and_itsgroups_args other) { + if (other.isSetRequest()) { + this.request = new TListSentryPrivilegesRequest(other.request); + } + } + + public list_sentry_privileges_by_user_and_itsgroups_args deepCopy() { + return new list_sentry_privileges_by_user_and_itsgroups_args(this); + } + + @Override + public void clear() { + this.request = null; + } + + public TListSentryPrivilegesRequest getRequest() { + return this.request; + } + + public void setRequest(TListSentryPrivilegesRequest request) { + this.request = request; + } + + public void unsetRequest() { + this.request = null; + } + + /** Returns true if field request is set (has been assigned a value) and false otherwise */ + public boolean isSetRequest() { + return this.request != null; + } + + public void setRequestIsSet(boolean value) { + if (!value) { + this.request = null; + } + } + + public void setFieldValue(_Fields field, Object value) { + switch (field) { + case REQUEST: + if (value == null) { + unsetRequest(); + } else { + setRequest((TListSentryPrivilegesRequest)value); + } + break; + + } + } + + public Object getFieldValue(_Fields field) { + switch (field) { + case REQUEST: + return getRequest(); + + } + throw new IllegalStateException(); + } + + /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */ + public boolean isSet(_Fields field) { + if (field == null) { + throw new IllegalArgumentException(); + } + + switch (field) { + case REQUEST: + return isSetRequest(); + } + throw new IllegalStateException(); + } + + @Override + public boolean equals(Object that) { + if (that == null) + return false; + if (that instanceof list_sentry_privileges_by_user_and_itsgroups_args) + return this.equals((list_sentry_privileges_by_user_and_itsgroups_args)that); + return false; + } + + public boolean equals(list_sentry_privileges_by_user_and_itsgroups_args that) { + if (that == null) + return false; + + boolean this_present_request = true && this.isSetRequest(); + boolean that_present_request = true && that.isSetRequest(); + if (this_present_request || that_present_request) { + if (!(this_present_request && that_present_request)) + return false; + if (!this.request.equals(that.request)) + return false; + } + + return true; + } + + @Override + public int hashCode() { + List list = new ArrayList(); + + boolean present_request = true && (isSetRequest()); + list.add(present_request); + if (present_request) + list.add(request); + + return list.hashCode(); + } + + @Override + public int compareTo(list_sentry_privileges_by_user_and_itsgroups_args other) { + if (!getClass().equals(other.getClass())) { + return getClass().getName().compareTo(other.getClass().getName()); + } + + int lastComparison = 0; + + lastComparison = Boolean.valueOf(isSetRequest()).compareTo(other.isSetRequest()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetRequest()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.request, other.request); + if (lastComparison != 0) { + return lastComparison; + } + } + return 0; + } + + public _Fields fieldForId(int fieldId) { + return _Fields.findByThriftId(fieldId); + } + + public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException { + schemes.get(iprot.getScheme()).getScheme().read(iprot, this); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException { + schemes.get(oprot.getScheme()).getScheme().write(oprot, this); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder("list_sentry_privileges_by_user_and_itsgroups_args("); + boolean first = true; + + sb.append("request:"); + if (this.request == null) { + sb.append("null"); + } else { + sb.append(this.request); + } + first = false; + sb.append(")"); + return sb.toString(); + } + + public void validate() throws org.apache.thrift.TException { + // check for required fields + // check for sub-struct validity + if (request != null) { + request.validate(); + } + } + + private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException { + try { + write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException { + try { + read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private static class list_sentry_privileges_by_user_and_itsgroups_argsStandardSchemeFactory implements SchemeFactory { + public list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme getScheme() { + return new list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme(); + } + } + + private static class list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme extends StandardScheme { + + public void read(org.apache.thrift.protocol.TProtocol iprot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException { + org.apache.thrift.protocol.TField schemeField; + iprot.readStructBegin(); + while (true) + { + schemeField = iprot.readFieldBegin(); + if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { + break; + } + switch (schemeField.id) { + case 1: // REQUEST + if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) { + struct.request = new TListSentryPrivilegesRequest(); + struct.request.read(iprot); + struct.setRequestIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + default: + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + iprot.readFieldEnd(); + } + iprot.readStructEnd(); + struct.validate(); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException { + struct.validate(); + + oprot.writeStructBegin(STRUCT_DESC); + if (struct.request != null) { + oprot.writeFieldBegin(REQUEST_FIELD_DESC); + struct.request.write(oprot); + oprot.writeFieldEnd(); + } + oprot.writeFieldStop(); + oprot.writeStructEnd(); + } + + } + + private static class list_sentry_privileges_by_user_and_itsgroups_argsTupleSchemeFactory implements SchemeFactory { + public list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme getScheme() { + return new list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme(); + } + } + + private static class list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme extends TupleScheme { + + @Override + public void write(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException { + TTupleProtocol oprot = (TTupleProtocol) prot; + BitSet optionals = new BitSet(); + if (struct.isSetRequest()) { + optionals.set(0); + } + oprot.writeBitSet(optionals, 1); + if (struct.isSetRequest()) { + struct.request.write(oprot); + } + } + + @Override + public void read(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException { + TTupleProtocol iprot = (TTupleProtocol) prot; + BitSet incoming = iprot.readBitSet(1); + if (incoming.get(0)) { + struct.request = new TListSentryPrivilegesRequest(); + struct.request.read(iprot); + struct.setRequestIsSet(true); + } + } + } + + } + + public static class list_sentry_privileges_by_user_and_itsgroups_result implements org.apache.thrift.TBase, java.io.Serializable, Cloneable, Comparable { + private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_by_user_and_itsgroups_result"); + + private static final org.apache.thrift.protocol.TField SUCCESS_FIELD_DESC = new org.apache.thrift.protocol.TField("success", org.apache.thrift.protocol.TType.STRUCT, (short)0); + + private static final Map, SchemeFactory> schemes = new HashMap, SchemeFactory>(); + static { + schemes.put(StandardScheme.class, new list_sentry_privileges_by_user_and_itsgroups_resultStandardSchemeFactory()); + schemes.put(TupleScheme.class, new list_sentry_privileges_by_user_and_itsgroups_resultTupleSchemeFactory()); + } + + private TListSentryPrivilegesResponse success; // required + + /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ + public enum _Fields implements org.apache.thrift.TFieldIdEnum { + SUCCESS((short)0, "success"); + + private static final Map byName = new HashMap(); + + static { + for (_Fields field : EnumSet.allOf(_Fields.class)) { + byName.put(field.getFieldName(), field); + } + } + + /** + * Find the _Fields constant that matches fieldId, or null if its not found. + */ + public static _Fields findByThriftId(int fieldId) { + switch(fieldId) { + case 0: // SUCCESS + return SUCCESS; + default: + return null; + } + } + + /** + * Find the _Fields constant that matches fieldId, throwing an exception + * if it is not found. + */ + public static _Fields findByThriftIdOrThrow(int fieldId) { + _Fields fields = findByThriftId(fieldId); + if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!"); + return fields; + } + + /** + * Find the _Fields constant that matches name, or null if its not found. + */ + public static _Fields findByName(String name) { + return byName.get(name); + } + + private final short _thriftId; + private final String _fieldName; + + _Fields(short thriftId, String fieldName) { + _thriftId = thriftId; + _fieldName = fieldName; + } + + public short getThriftFieldId() { + return _thriftId; + } + + public String getFieldName() { + return _fieldName; + } + } + + // isset id assignments + public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; + static { + Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); + tmpMap.put(_Fields.SUCCESS, new org.apache.thrift.meta_data.FieldMetaData("success", org.apache.thrift.TFieldRequirementType.DEFAULT, + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TListSentryPrivilegesResponse.class))); + metaDataMap = Collections.unmodifiableMap(tmpMap); + org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(list_sentry_privileges_by_user_and_itsgroups_result.class, metaDataMap); + } + + public list_sentry_privileges_by_user_and_itsgroups_result() { + } + + public list_sentry_privileges_by_user_and_itsgroups_result( + TListSentryPrivilegesResponse success) + { + this(); + this.success = success; + } + + /** + * Performs a deep copy on other. + */ + public list_sentry_privileges_by_user_and_itsgroups_result(list_sentry_privileges_by_user_and_itsgroups_result other) { + if (other.isSetSuccess()) { + this.success = new TListSentryPrivilegesResponse(other.success); + } + } + + public list_sentry_privileges_by_user_and_itsgroups_result deepCopy() { + return new list_sentry_privileges_by_user_and_itsgroups_result(this); + } + + @Override + public void clear() { + this.success = null; + } + + public TListSentryPrivilegesResponse getSuccess() { + return this.success; + } + + public void setSuccess(TListSentryPrivilegesResponse success) { + this.success = success; + } + + public void unsetSuccess() { + this.success = null; + } + + /** Returns true if field success is set (has been assigned a value) and false otherwise */ + public boolean isSetSuccess() { + return this.success != null; + } + + public void setSuccessIsSet(boolean value) { + if (!value) { + this.success = null; + } + } + + public void setFieldValue(_Fields field, Object value) { + switch (field) { + case SUCCESS: + if (value == null) { + unsetSuccess(); + } else { + setSuccess((TListSentryPrivilegesResponse)value); + } + break; + + } + } + + public Object getFieldValue(_Fields field) { + switch (field) { + case SUCCESS: + return getSuccess(); + + } + throw new IllegalStateException(); + } + + /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */ + public boolean isSet(_Fields field) { + if (field == null) { + throw new IllegalArgumentException(); + } + + switch (field) { + case SUCCESS: + return isSetSuccess(); + } + throw new IllegalStateException(); + } + + @Override + public boolean equals(Object that) { + if (that == null) + return false; + if (that instanceof list_sentry_privileges_by_user_and_itsgroups_result) + return this.equals((list_sentry_privileges_by_user_and_itsgroups_result)that); + return false; + } + + public boolean equals(list_sentry_privileges_by_user_and_itsgroups_result that) { + if (that == null) + return false; + + boolean this_present_success = true && this.isSetSuccess(); + boolean that_present_success = true && that.isSetSuccess(); + if (this_present_success || that_present_success) { + if (!(this_present_success && that_present_success)) + return false; + if (!this.success.equals(that.success)) + return false; + } + + return true; + } + + @Override + public int hashCode() { + List list = new ArrayList(); + + boolean present_success = true && (isSetSuccess()); + list.add(present_success); + if (present_success) + list.add(success); + + return list.hashCode(); + } + + @Override + public int compareTo(list_sentry_privileges_by_user_and_itsgroups_result other) { + if (!getClass().equals(other.getClass())) { + return getClass().getName().compareTo(other.getClass().getName()); + } + + int lastComparison = 0; + + lastComparison = Boolean.valueOf(isSetSuccess()).compareTo(other.isSetSuccess()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetSuccess()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.success, other.success); + if (lastComparison != 0) { + return lastComparison; + } + } + return 0; + } + + public _Fields fieldForId(int fieldId) { + return _Fields.findByThriftId(fieldId); + } + + public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException { + schemes.get(iprot.getScheme()).getScheme().read(iprot, this); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException { + schemes.get(oprot.getScheme()).getScheme().write(oprot, this); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder("list_sentry_privileges_by_user_and_itsgroups_result("); + boolean first = true; + + sb.append("success:"); + if (this.success == null) { + sb.append("null"); + } else { + sb.append(this.success); + } + first = false; + sb.append(")"); + return sb.toString(); + } + + public void validate() throws org.apache.thrift.TException { + // check for required fields + // check for sub-struct validity + if (success != null) { + success.validate(); + } + } + + private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException { + try { + write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException { + try { + read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private static class list_sentry_privileges_by_user_and_itsgroups_resultStandardSchemeFactory implements SchemeFactory { + public list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme getScheme() { + return new list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme(); + } + } + + private static class list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme extends StandardScheme { + + public void read(org.apache.thrift.protocol.TProtocol iprot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException { + org.apache.thrift.protocol.TField schemeField; + iprot.readStructBegin(); + while (true) + { + schemeField = iprot.readFieldBegin(); + if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { + break; + } + switch (schemeField.id) { + case 0: // SUCCESS + if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) { + struct.success = new TListSentryPrivilegesResponse(); + struct.success.read(iprot); + struct.setSuccessIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + default: + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + iprot.readFieldEnd(); + } + iprot.readStructEnd(); + struct.validate(); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException { + struct.validate(); + + oprot.writeStructBegin(STRUCT_DESC); + if (struct.success != null) { + oprot.writeFieldBegin(SUCCESS_FIELD_DESC); + struct.success.write(oprot); + oprot.writeFieldEnd(); + } + oprot.writeFieldStop(); + oprot.writeStructEnd(); + } + + } + + private static class list_sentry_privileges_by_user_and_itsgroups_resultTupleSchemeFactory implements SchemeFactory { + public list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme getScheme() { + return new list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme(); + } + } + + private static class list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme extends TupleScheme { + + @Override + public void write(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException { + TTupleProtocol oprot = (TTupleProtocol) prot; + BitSet optionals = new BitSet(); + if (struct.isSetSuccess()) { + optionals.set(0); + } + oprot.writeBitSet(optionals, 1); + if (struct.isSetSuccess()) { + struct.success.write(oprot); + } + } + + @Override + public void read(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException { + TTupleProtocol iprot = (TTupleProtocol) prot; + BitSet incoming = iprot.readBitSet(1); + if (incoming.get(0)) { + struct.success = new TListSentryPrivilegesResponse(); + struct.success.read(iprot); + struct.setSuccessIsSet(true); + } + } + } + + } + public static class list_sentry_privileges_for_provider_args implements org.apache.thrift.TBase, java.io.Serializable, Cloneable, Comparable { private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_for_provider_args"); http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift index 2e79e56..3364648 100644 --- a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift +++ b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift @@ -196,7 +196,7 @@ struct TListSentryPrivilegesRequest { 4: required string roleName, # get privileges assigned for this role 5: optional TSentryAuthorizable authorizableHierarchy, # get privileges assigned for this role -# Get privileges assigned for this principal name. This principalName should be set to a a role name +# Get privileges assigned for this principal name. This principalName should be set to a role name # or user name depending of which function you call, either list_sentry_privileges_by_role or # list_sentry_privileges_by_user 6: optional string principalName @@ -407,8 +407,16 @@ service SentryPolicyService TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request) TListSentryRolesResponse list_sentry_roles_by_user(1:TListSentryRolesForUserRequest request) + # List sentry privileges granted to the given role, filterted + # based on authorization hierarchy if present. TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request) + # List sentry privileges granted to the given user, filterted + # based on authorization hierarchy if present. TListSentryPrivilegesResponse list_sentry_privileges_by_user(1:TListSentryPrivilegesRequest request) + # List sentry privileges granted to the given user and the groups + # the user associated with, filterted based on authorization + # hierarchy if present. + TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(1:TListSentryPrivilegesRequest request) # For use with ProviderBackend.getPrivileges only TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request) http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java index 236a07b..d34340c 100644 --- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java +++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java @@ -109,6 +109,8 @@ public final class SentryMetrics { name(SentryPolicyStoreProcessor.class, "list-privileges-by-role")); final Timer listPrivilegesByUserTimer = METRIC_REGISTRY.timer( name(SentryPolicyStoreProcessor.class, "list-privileges-by-user")); + final Timer listPrivilegesForUserTimer = METRIC_REGISTRY.timer( + name(SentryPolicyStoreProcessor.class, "list-sentry-privileges-by-user-and-itsgroups")); final Timer listPrivilegesForProviderTimer = METRIC_REGISTRY.timer( name(SentryPolicyStoreProcessor.class, "list-privileges-for-provider")); final Timer listPrivilegesByAuthorizableTimer = METRIC_REGISTRY.timer( http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java index 3087529..709434c 100644 --- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java @@ -825,10 +825,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { Set privilegeSet = new HashSet(); String subject = request.getRequestorUserName(); - // The 'entityName' parameter is made optional in thrift, so we need to check that is not + // The 'principalName' parameter is made optional in thrift, so we need to check that is not // null before proceed. TSentryResponseStatus status = - checkRequiredParameter(request.getPrincipalName(), "entityName parameter must not be null"); + checkRequiredParameter(request.getPrincipalName(), + "principalName parameter must not be null"); if (status != null) { response.setStatus(status); return response; @@ -880,6 +881,74 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface { return response; } + @Override + public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups( + TListSentryPrivilegesRequest request) throws TException { + final Timer.Context timerContext = sentryMetrics.listPrivilegesForUserTimer.time(); + TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse(); + + // The 'principalName' parameter is made optional in thrift, so we need to + // check that is not null before proceed. + TSentryResponseStatus status = checkRequiredParameter(request.getPrincipalName(), + "principalName parameter must not be null"); + if (status != null) { + response.setStatus(status); + return response; + } + + String requestor = request.getRequestorUserName(); + String principalName = request.getPrincipalName().trim(); + Set privilegeSet = new HashSet<>(); + + try { + validateClientVersion(request.getProtocol_version()); + + // To allow listing the privileges, the requestor user must be part of + // the admins group, or the requestor user must be the same user requesting + // privileges for. + Set requestorGroups = getRequestorGroups(requestor); + Boolean admin = inAdminGroups(requestorGroups); + if(!admin && !principalName.equalsIgnoreCase(requestor)) { + throw new SentryAccessDeniedException("Access denied to " + requestor); + } + + // Get the groups the user is associated with. + Set principalGroups; + if (principalName.equals(requestor)) { + principalGroups = requestorGroups; + } else { + principalGroups = getRequestorGroups(principalName); + } + Set principalUsers = new HashSet<>(); + principalUsers.add(principalName); + privilegeSet.addAll(sentryStore.listSentryPrivilegesByUsersAndGroups( + principalGroups, principalUsers, + new TSentryActiveRoleSet(true, null), + request.getAuthorizableHierarchy())); + response.setPrivileges(privilegeSet); + response.setStatus(Status.OK()); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); + } catch (SentryAccessDeniedException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryInvalidInputException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.InvalidInput(e.getMessage(), e)); + } catch (SentryUserException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (Exception e) { + String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); + LOGGER.error(msg, e); + response.setStatus(Status.RuntimeError(msg, e)); + } finally { + timerContext.stop(); + } + return response; + } + /** * This method was created specifically for ProviderBackend.getPrivileges() and is not meant * to be used for general privilege retrieval. More details in the .thrift file. http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index 1eda41b..1722109 100644 --- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -2400,29 +2400,40 @@ public class SentryStore implements SentryStoreInterface { return result; } - Set listAllSentryPrivilegesForProvider(Set groups, Set users, + public Set listSentryPrivilegesByUsersAndGroups( + Set groups, Set users, TSentryActiveRoleSet roleSet, + TSentryAuthorizable authHierarchy) throws Exception { + return convertToTSentryPrivileges(listSentryPrivilegesForProviderCore( + groups, users, roleSet, authHierarchy)); + } + + Set listAllSentryPrivilegesForProvider( + Set groups, Set users, TSentryActiveRoleSet roleSet) throws Exception { return listSentryPrivilegesForProvider(groups, users, roleSet, null); } - - public Set listSentryPrivilegesForProvider(Set groups, Set users, - TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws Exception { + public Set listSentryPrivilegesForProvider( + Set groups, Set users, TSentryActiveRoleSet roleSet, + TSentryAuthorizable authHierarchy) throws Exception { Set result = Sets.newHashSet(); - Set rolesToQuery = getRolesToQuery(groups, users, roleSet); - List mSentryPrivileges = getMSentryPrivileges(SentryPrincipalType.ROLE, rolesToQuery, authHierarchy); - for (MSentryPrivilege priv : mSentryPrivileges) { - result.add(toAuthorizable(priv)); - } - - mSentryPrivileges = getMSentryPrivileges(SentryPrincipalType.USER, users, authHierarchy); + Set mSentryPrivileges = listSentryPrivilegesForProviderCore( + groups, users, roleSet, authHierarchy); for (MSentryPrivilege priv : mSentryPrivileges) { result.add(toAuthorizable(priv)); } - return result; } + private Set listSentryPrivilegesForProviderCore(Set groups, Set users, + TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws Exception { + Set privilegeSet = Sets.newHashSet(); + Set rolesToQuery = getRolesToQuery(groups, users, roleSet); + privilegeSet.addAll(getMSentryPrivileges(SentryPrincipalType.ROLE, rolesToQuery, authHierarchy)); + privilegeSet.addAll(getMSentryPrivileges(SentryPrincipalType.USER, users, authHierarchy)); + return privilegeSet; + } + public boolean hasAnyServerPrivileges(Set groups, Set users, TSentryActiveRoleSet roleSet, String server) throws Exception { Set rolesToQuery = getRolesToQuery(groups, users, roleSet); http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java index 0b4f4aa..3a68eb6 100644 --- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java +++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java @@ -216,12 +216,14 @@ public interface SentryStoreInterface { Set getAllTSentryPrivilegesByUserName(String userName) throws Exception; /** - * Set of Sentry Privileges for provider. - * @param groups - * @param users - * @param roleSet - * @param authHierarchy - * @return + * Gets sentry privileges granted to the given user and groups from the + * persistence layer. This method is only intent to be used for provider. + * @param groups the set of group names + * @param users the set of user names + * @param roleSet the active roleSet + * @param authHierarchy filter push down based on auth hierarchy (optional) + * @return a set of sentry privilege string belongs to the given users + * and groups. * @throws Exception */ Set listSentryPrivilegesForProvider(Set groups, @@ -231,6 +233,24 @@ public interface SentryStoreInterface { throws Exception; /** + * Similar to {@link SentryStoreInterface#listSentryPrivilegesForProvider(Set, Set, + * TSentryActiveRoleSet, TSentryAuthorizable)}, but returns a set of thrift sentry + * privilege objects instead. + * @param groups the set of group names + * @param users the set of user names + * @param roleSet the active roleSet + * @param authHierarchy filter push down based on auth hierarchy (optional) + * @return a set of thrift sentry privilege objects belongs to the given + * users and groups. + * @throws Exception + */ + Set listSentryPrivilegesByUsersAndGroups(Set groups, + Set users, + TSentryActiveRoleSet roleSet, + TSentryAuthorizable authHierarchy) + throws Exception; + + /** * True if the given set of group * @param groups * @param users http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java index d8c0ab4..a299e00 100644 --- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java @@ -4273,6 +4273,49 @@ public class TestSentryStore extends org.junit.Assert { } @Test + public void testListSentryPrivilegesForUsersAndGroups() throws Exception { + String roleName = "role1"; + String groupName = "list-privs-g1"; + String userName = "u1"; + String grantor = "g1"; + sentryStore.createSentryRole(roleName); + + TSentryPrivilege privilege1 = new TSentryPrivilege(); + privilege1.setPrivilegeScope("TABLE"); + privilege1.setServerName("server1"); + privilege1.setDbName("db1"); + privilege1.setTableName("tbl1"); + privilege1.setAction("SELECT"); + privilege1.setCreateTime(System.currentTimeMillis()); + sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege1, null); + + TSentryPrivilege privilege2 = new TSentryPrivilege(); + privilege2.setPrivilegeScope("SERVER"); + privilege2.setServerName("server1"); + privilege2.setCreateTime(System.currentTimeMillis()); + sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName, privilege2, null); + + Set groups = Sets.newHashSet(); + TSentryGroup group = new TSentryGroup(); + group.setGroupName(groupName); + groups.add(group); + sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups); + + // list-privs-g1 has privilege1 + // u1 has privilege2 + Set expectedPrivs = new HashSet<>(); + expectedPrivs.add(privilege1); + expectedPrivs.add(privilege2); + + assertEquals(expectedPrivs, + sentryStore.listSentryPrivilegesByUsersAndGroups( + Sets.newHashSet(groupName), + Sets.newHashSet(userName), + new TSentryActiveRoleSet(true, new HashSet<>()), + null)); + } + + @Test public void testListSentryPrivilegesForProviderForUser() throws Exception { String userName1 = "list-privs-user1"; String userName2 = "list-privs-user2";